# POC Sniffer Mode
# Quick Configuration Script

# Please change the variables below according to your environment
# and then replace all instances of the placeholder strings
# throughout the script
#
# <mgmt_interface>
# <mgmt_ip>
# <mgmt_netmask>
# <mgmt_gateway>
# <sniffer_interface>
# <faz_ip>
#


# Factory reset at the beginning
# The "y" on the following line answers the confirmation prompt that
# factoryreset shows; the unit then reboots, so the rest of this script
# is entered in a fresh session once it is back up.
exec factoryreset
y
# Wait for the reboot to finish before continuing

# Disable DHCP Server
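# Remove DHCP server entry 1 (presumably the factory-default server on the
# LAN/management port) so the unit does not hand out leases during the POC.
# "end" is required to leave this context; without it the following
# "config system interface" would be entered from inside the DHCP table.
config system dhcp server
    delete 1
end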

# Configure management interfaces
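# Management interface: the address the FortiGate is administered on.
# The original line had "set type physical" appended to the allowaccess
# list, which the CLI does not accept as allowaccess keywords; it is now
# its own command. Note that "http" exposes the admin GUI unencrypted and
# "fgfm" / "capwap" are only needed when a FortiManager / FortiAP talks to
# this interface - trim the list to what the POC actually uses.
config system interface
    edit "<mgmt_interface>"
        set vdom "root"
        set ip <mgmt_ip> <mgmt_netmask>
        set allowaccess ping https ssh http fgfm capwap
        set type physical
        set alias "Management"
        set snmp-index 1
    next
end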

# Configure DNS servers
# DNS used by the FortiGate itself: Google Public DNS as primary and a
# FortiGuard DNS server as secondary. Name resolution is needed for the
# ping check and the FortiGuard signature update further down.
config system dns
    set primary 8.8.8.8
    set secondary 208.91.112.52
end

# Default route via the management interface. "edit 0" lets the CLI
# allocate the next free route ID; no "set dst" is given, so the FortiOS
# default destination (0.0.0.0/0) applies.
config router static
      edit 0
          set device "<mgmt_interface>"
          set gateway <mgmt_gateway>
      next
end

# Check your internet connection and name resolution
exec ping www.yahoo.com

# Change AV database
# Select the regular AV signature database (the alternatives are the
# larger extended / extreme databases).
config antivirus settings
    set default-db normal
end

# Update all signatures before continuing
exec update-now

# Check that the signature databases are current
get system status


# Configure sniffer interface
# One-arm sniffer port: ips-sniffer-mode makes the interface a passive
# sensor that inspects and logs mirrored traffic without forwarding it,
# so no IP address is assigned and admin access is limited to ping.
config system interface
    edit "<sniffer_interface>"
        set vdom "root"
        set allowaccess ping
        set ips-sniffer-mode enable
        set type physical
        set alias "Sensor"
        set snmp-index 2
    next
end

# Configure security profiles
# Show the individual UTM profile selectors (AV, web filter, IPS, app
# control) in the GUI so the profiles created below can be picked per policy.
config system global
    set gui-multiple-utm-profiles enable
end

# AV profile
# AV profile referenced by the sniffer and firewall policies. Only the
# logging options are set here.
# NOTE(review): no per-protocol scan options are configured, so scanning
# behaviour depends on the FortiOS defaults for a new profile - confirm
# for the target release.
config antivirus profile
    edit "AV-flow"
        set extended-utm-log enable
        set av-virus-log enable
    next
end

# Application Control sensor
# Application control: reuse the built-in "default" list but log every
# application decision, including unknown and "other" applications, so
# the sniffer report is complete.
config application list
    edit "default"
        set extended-utm-log enable
        set other-application-log enable
        set log enable
        set unknown-application-log enable
    next
end

# Webfilter profile
# Web filter profile used for monitoring only (no blocking options are
# set). https-url-scan extends URL categorisation to HTTPS requests.
# NOTE(review): how much of an HTTPS URL is visible without SSL inspection
# varies by release - confirm the categories expected in the report appear.
config webfilter profile
    edit "flow-monitor-all"
        set extended-utm-log enable
        set options https-url-scan
    next
end

# IPS sensor
# IPS sensor with a single entry and no signature filter, i.e. it
# effectively covers every signature.
# NOTE(review): despite the name, no "set action pass" is given, so each
# signature's default action applies. On the one-arm sniffer port the
# sensor can only log anyway, but confirm before reusing it inline.
config ips sensor
    edit "all_default_pass"
        config entries
            edit 1
                set status enable
            next
        end
    next
end


# Firewall Policy to enable Webfilter categories on ARA report
# Accept policy whose purpose is to make web-filter categories appear in
# the ARA report; it references the same profiles as the sniffer policy.
# NOTE(review): this is an any -> any accept with NAT and no interface or
# address restriction. If traffic is ever routed through the unit (rather
# than mirrored to the sniffer port) it is permitted by this rule, so keep
# it for the POC only and remove it afterwards.
config firewall policy
    edit 1
        set srcintf any
        set dstintf any
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "AV-flow"
        set webfilter-profile "flow-monitor-all"
        set ips-sensor "all_default_pass"
        set application-list "default"
        set profile-protocol-options "default"
        set nat enable
    next
end

# Sniffer Policy
# Sniffer policy: binds the passive sensor port to the profiles created
# above and logs all traffic. Each "*-status enable" switches on that
# inspection type; the profile names must match the objects defined
# earlier in this script. "edit 0" lets the CLI allocate the entry ID.
config firewall sniffer
    edit 0
        set logtraffic all
        set interface "<sniffer_interface>"
        set application-list-status enable
        set application-list "default"
        set ips-sensor-status enable
        set ips-sensor "all_default_pass"
        set av-profile-status enable
        set av-profile "AV-flow"
        set webfilter-profile-status enable
        set webfilter-profile "flow-monitor-all"
    next
end
    
# Logging to FortiAnalyzer
# Ship logs to FortiAnalyzer. "reliable" selects TCP (OFTP) delivery so
# events are not silently dropped under load.
# NOTE(review): encryption of the log stream is left at the release
# default (nothing is set here) - confirm before sending logs across an
# untrusted network.
config log fortianalyzer setting
    set status enable
    set server <faz_ip>
    set reliable enable
end

# Check if traffic is being received
diagnose sniffer packet <sniffer_interface> none 1

